mailwatch / MailWatch

MailWatch for MailScanner is a web-based front-end to MailScanner
http://mailwatch.org/
GNU General Public License v2.0

MailWatch stopped logging in to MySQL #430

Closed branko77 closed 7 years ago

branko77 commented 7 years ago

Today my MailWatch just stopped logging in to MySQL. The last message that was logged was a few hours ago. My postfix is working fine and I can send and receive messages. I received a few messages with this text: "MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/36423/4335498CC.AB426/nmsg-36423-81.html " After a reboot of my server, my NAGIOS is reporting that Clamd is critical with the error "connect to address 127.0.0.1 and port 3310: Connection refused". When I check MySQL I can see that the last message was logged a few hours ago and that it is not logging. maillog reports "MailWatch: Logging message 5D18798D8.A7796 to SQL" but no logged message in maillog. I didn't make any changes whatsoever...

Skywalker-11 commented 7 years ago

is the mysql service running?

What version of mysql, os, mailwatch and mailscanner are you using?

branko77 commented 7 years ago

Just double-checked the mysql and mailscanner services... both services are up and running.

OS: Centos 7.3
MailWatch Version: 1.2.0 - RC4
MailScanner Version: 5.0.3
SpamAssassin Version: 3.4.0
PHP Version: 5.4.16
MySQL Version: 5.6.35

Skywalker-11 commented 7 years ago

If you send a mail to that server is there any output in the mail logs?

branko77 commented 7 years ago

Yes, there are all the usual outputs in maillog except that MailWatch actually logged the message to SQL. I can see "MailWatch: Logging message 3198B98DA.AA0E7 to SQL" but no logged

Skywalker-11 commented 7 years ago

@stefaweb can you take a look at this?

mmgomess commented 7 years ago

Same thing with me. When I stop and start (not restart) MailScanner, it gets back to work again.

It seems that the problem is also related to the message below:

MailScanner[24067]: Content Checks: Detected and have disarmed KILLED tags in HTML message in 64E4C260C23.A39FB

MailWatch Version 1.2.0 - RC4
MailScanner Version 5.0.3
ClamAV Version 0.99
SpamAssassin Version 3.4.1
PHP Version 7.0.8-0ubuntu0.16.04.3
MySQL Version 5.7.17-0ubuntu0.16.04.1

branko77 commented 7 years ago

I just did it... There was a problem with clamd.service: it stopped and wouldn't turn back on. I changed the conf file a bit and that solved it. What I changed is, in /usr/lib/systemd/system/clamd.service, the line

ExecStart = /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --nofork=yes

to

ExecStart = /usr/sbin/clamd -c /etc/clamd.d/clamd.conf --foreground=yes

and uncommented TCPSocket 3310 in /etc/clamd.d/clamd.conf, restarted clamd.service (which was in failed state), and now clamd as well as MailWatch is working as it should...

Thanks for your help guys...

stefaweb commented 7 years ago

I also had problems with clamd and systemd. Sometimes the only solution to go back to normal is to reboot the server. I've not found time to look at this yet. Will try your proposal.

A good way to know if clamd is in trouble: run clamav_status.php. If the ClamAV Status doesn't print, this means that clamd is broken somewhere.

systemd is causing a lot of problems with "old" services (courier-pop, imap, bind, etc.) whose deb or rpm packages have not been updated to work with systemd.

branko77 commented 7 years ago

I am using nagios to track clamd service... You can try with check_clamd nagios plugin... It is rather useful

stefaweb commented 7 years ago

I'm using Xymon with all ours services and servers. ;)

branko77 commented 7 years ago

Update: Today I experienced a similar problem to yesterday's... MailWatch stopped logging for no obvious reason... It just stopped, no errors, nothing in maillog... I checked all services (yesterday I had that issue with Clam) but found nothing. I restarted my server and still nothing... And after a few hours MailWatch just started again by itself... Now it is working again with no problems. I am more than confused... Could this be a bug?

asuweb commented 7 years ago

I presume you tried it in debug mode?

branko77 commented 7 years ago

If you mean dbitrace.log, yes I did. It was unusual but MailWatch started after I turned it off again... I can send it if you want


stefaweb commented 7 years ago

Look at this: #346. Also, I have some problems with mailscanner/mailwatch in the Perl parts.

branko77 commented 7 years ago

Here is my dbitrace.log during MailWatch malfunctioning. I didn't bother you with a whole log but it keeps going like this... dbitrace.log.txt

branko77 commented 7 years ago

Same thing today at approximately the same time... MailWatch just stopped logging again for no reason... Now I am waiting for it to start again like yesterday...

branko77 commented 7 years ago

Additional info - when this problem occurs, users occasionally receive this type of message: "MailScanner was attacked by a Denial Of Service attack, and has therefore deleted this part of the message. Please contact your e-mail providers for more information if you need it, giving them the whole of this report. Attack in: /var/spool/MailScanner/incoming/10557/0F2F8B33F.AF567/nmsg-10557-174.html"

mmgomess commented 7 years ago

Hi, Branko77.

Stop MailScanner. Kill all MailScanner processes that remain in memory and start MailScanner again.

MailWatch will work again.


Skywalker-11 commented 7 years ago

The message of Denial of Server attack occurs if something is blocking mailscanner. Maybe the mailwatch script is not able to connect to mysql and so it hangs in the loop trying to connect to mysql.

branko77 commented 7 years ago

Stop MailScanner. Kill all MailScanner processes that remain in memory and start MailScanner again.

This solved a problem. Thanks @mmgomess @Skywalker-11

Any idea how to prevent this... It is happening 3 days in a row?

Skywalker-11 commented 7 years ago

Can it help to limit the times mailwatch tries to connect to the server in line 321-328 in MailWatch.pm?

The problem with this approach is that the filter lists of mailwatch cannot be applied and so unwanted mails may get through to the recipients.

branko77 commented 7 years ago

In which line and how should I limit that? My 321-328 is:

# Connect to server
while (1) {
    socket(TO_SERVER, PF_INET, SOCK_STREAM, getprotobyname("tcp"));
    my $addr = sockaddr_in($server_port, $loop);
    connect(TO_SERVER, $addr) and last;
    # Failed to connect - kick off new child, wait, and try again
    InitMailWatchLogging();
    sleep 5;
}
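
One way to bound the retry loop quoted above, as an added example that is not part of the thread or of MailWatch's own code: `connect_with_limit`, its parameters and the callback slot are hypothetical names, and the demo listener is constructed so the script runs offline. It gives up after a fixed number of attempts and returns nothing, so the caller can decide what to do instead of hanging in the loop.

```perl
#!/usr/bin/perl
# Added example (not MailWatch code): bounded retry for a loopback TCP connect.
use strict;
use warnings;
use Socket qw(PF_INET SOCK_STREAM SOMAXCONN INADDR_LOOPBACK sockaddr_in);

# Hypothetical helper: try to connect to 127.0.0.1:$port at most
# $max_attempts times, sleeping $delay seconds between attempts.
# $on_fail is an optional callback run after each failed attempt that will
# be retried (the slot where the quoted loop calls InitMailWatchLogging()).
# Returns a connected socket handle, or nothing once the limit is reached.
sub connect_with_limit {
    my ($port, $max_attempts, $delay, $on_fail) = @_;
    my $proto = getprotobyname('tcp');
    my $addr  = sockaddr_in($port, INADDR_LOOPBACK);

    for my $attempt (1 .. $max_attempts) {
        socket(my $sock, PF_INET, SOCK_STREAM, $proto)
            or die "socket: $!";
        return $sock if connect($sock, $addr);

        my $err = "$!";
        close($sock);    # do not leak one descriptor per failed attempt
        warn "connect attempt $attempt/$max_attempts to port $port failed: $err\n";
        last if $attempt == $max_attempts;
        $on_fail->($attempt) if $on_fail;
        sleep $delay;
    }
    return;
}

# Constructed demo: a listener on an ephemeral loopback port stands in for
# the logging child; the same port after close() stands in for a dead one.
socket(my $listener, PF_INET, SOCK_STREAM, getprotobyname('tcp'))
    or die "socket: $!";
bind($listener, sockaddr_in(0, INADDR_LOOPBACK)) or die "bind: $!";
listen($listener, SOMAXCONN) or die "listen: $!";
my ($demo_port) = sockaddr_in(getsockname($listener));

my $live = connect_with_limit($demo_port, 3, 1);
print "port $demo_port with listener: ", ($live ? "connected" : "gave up"), "\n";
close($live) if $live;
close($listener);

# No listener any more: every attempt is refused and the helper returns
# after three tries instead of retrying forever.
my $restarts = 0;
my $dead = connect_with_limit($demo_port, 3, 1, sub { $restarts++ });
print "port $demo_port without listener: ", ($dead ? "connected" : "gave up"),
      " ($restarts restart callbacks)\n";
```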

mmgomess commented 7 years ago

It looks like it's something related to "SQLBlackWhiteList.pm".

When I remove it from MailScanner.conf the "Denial of Server attack" error stops.

I'm still testing.


branko77 commented 7 years ago

hm... could be... I am manually filling black list very very often... Today it stopped after adding another spamming domain in my black list. I thought it was just a coincidence... Please let us know if you find something new.

mmgomess commented 7 years ago

Sorry.

What I really removed from the MailScanner configuration was &MailWatchLogging and not the &SQLWhitelist.

For a while the "Denial of Server attack" error stopped.


branko77 commented 7 years ago

But Mailwatch stopped as well? MailWatch can't work without "&MailWatchLogging" in MailScanner.conf

mmgomess commented 7 years ago

Yes I know, but I did this to confirm whether the error is related to Mailwatch or not.

And it looks like it has.


branko77 commented 7 years ago

My Centos 7 just printed this on CLI: Could not use Custom Function code MailScanner::CustomConfig::InitMailWatchLogging, it could not be "eval"ed. Make sure the module is correct with perl -wc (Error: DBD::mysql::st execute failed: Incorrect string value: '\xF0\x9F\x8E\x8E O...' for column 'subject' at row 1 at /usr/share/MailScanner/perl/custom/MailWatch.pm line 138, line 11555. ) at /usr/share/MailScanner/perl/MailScanner/Config.pm line 1053.

Maybe it is related?

mmgomess commented 7 years ago

Most of my clients have Ubuntu servers with MailScanner / Mailwatch.

I just discovered that the error does happen in Ubuntu 16.04 LTS but in Ubuntu 14.04 it does not.

Anybody help us?


stefaweb commented 7 years ago

Perl version?

Check also perl library version.

mmgomess commented 7 years ago

Ubuntu 16.04 LTS

ii perl 5.22.1-9 amd64 Larry Wall's Practical Extraction and Report Language
ii perl-base 5.22.1-9 amd64 minimal Perl system
ii perl-doc 5.22.1-9 all Perl documentation
ii perl-modules-5.22 5.22.1-9 all Core Perl modules


stefaweb commented 7 years ago

And for Ubuntu 14.04?

mmgomess commented 7 years ago

Ubuntu 14.04 LTS

perl 5.18.2-2ubuntu1.1 amd64 Larry Wall's Practical Extraction and Report Language
perl-base 5.18.2-2ubuntu1.1 amd64 minimal Perl system
perl-doc 5.18.2-2ubuntu1.1 all Perl documentation
perl-modules 5.18.2-2ubuntu1.1 all Core Perl modules


geeknocity commented 7 years ago

I have had this same problem ever since I started using MailScanner, which has only been about 2 months. But it's kind of a pain. I just restarted my server because it did it. Once it does it again I will try killing MailScanner to see if that will re-enable logging. I do have dbilogging turned on... but have never found anything relevant in there.

Skywalker-11 commented 7 years ago

I had the same error after updating the mysql server and solved it by updating the perl modules with cpan -u (debian 8).

stefaweb commented 7 years ago

cpan -u can break the system and cause conflicts with OS-packaged perl modules. It would be a better choice to know which perl module causes the problem and needs to be upgraded.

geeknocity commented 7 years ago

Mine just crapped out again. I did service mailscanner stop, then ps -aux |grep MailScanner and killed the PID. Then service mailscanner start, and it was working again. So that is why restarting mailscanner didn't work. That last one stays open. So when this happens again, how can I get you guys more information?? What should I try?

mmgomess commented 7 years ago

I ran the "cpan -u", which did not work.

Confirmed that the problem occurs only in Ubuntu 16.06 when MailScanner is working with the MailWatch modules.

There is a problem with MailWatch and Ubuntu 16.04.


branko77 commented 7 years ago

But I need to add that the same problem occurs with Centos 7.

Skywalker-11 commented 7 years ago

How many mails do your servers process?

branko77 commented 7 years ago

lets say roughly around 2000 per day...

asuweb commented 7 years ago

It works fine on centos 6. I remember giving up with centos 7 a while back but can't remember what the issue was. I think it was a mailscanner rather than mailwatch issue, but not 100% certain.

I'm planning to deploy a second node shortly - I'll do it with centos 7 and see if I can find the issue.

mmgomess commented 7 years ago

I also discovered that if you change the "Dangerous Content Scanning" parameter from "yes" to "no" in MailScanner.conf the error also stops.


stefaweb commented 7 years ago

Denial Of Service attack / mailscanner / crash Found this: https://forum.efa-project.org/viewtopic.php?t=1804

branko77 commented 7 years ago

I also found those "KILLED HTML bla bla bla" lines in my maillog... maybe it is related to the issue


branko77 commented 7 years ago

In addition, in my daily Logwatch I see the following in the ClamAV section:

Unmatched Entries
TCP: Cannot bind to [0.0.0.0]:3310: Address already in use
ERROR: TCP: Cannot bind to [0.0.0.0]:3310: Address already in use
ERROR: TCP: Cannot bind to [::]:3310: Address already in use
ERROR: Not listening on any interfaces

branko77 commented 7 years ago

I had the same problem yesterday and once again this morning, so I inspected my conf files once again. I just learned that my MailScanner.conf had these lines commented:

Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist

I am not sure why those lines were commented, but now I removed the # in front of them and restarted the MailScanner service. If the problem occurs once again I am afraid that I will need to disable MailWatch. It is too much stress to think all the time about whether it is ok or not. :-(

asuweb commented 7 years ago

Is there a reason you are binding clam to all interfaces?

Try binding clam to the 127.0.0.1 and see if that issue goes away.

It sounds like you might need to do a thorough review of your configuration files to track down the issue. I've always found it an issue upgrading either mailscanner or mailwatch as often there are bits left over or moved in a file that are hard to track down.

stefaweb commented 7 years ago

If it can help, my config in /etc/MailScanner/conf.d/myconfig.conf

# MailScanner configuration file for myhost.domaine.tld
# 07/01/2017

%org-name% = MyOrg
%org-long-name% = MyOrg
%web-site% = www.domain.tld
%report-dir% = /usr/share/MailScanner/reports/en

Max Children = 10
Run As User = Debian-exim
Run As Group = Debian-exim
Queue Scan Interval = 6
Incoming Queue Dir = /var/spool/exim4/input
Outgoing Queue Dir = /var/spool/exim4_outgoing/input
PID file = /var/run/MailScanner.pid
Restart Every = 3600

MTA = exim
Sendmail = /usr/sbin/exim4
Sendmail2 = /usr/sbin/exim4 -DOUTGOING
Incoming Work User = Debian-exim
Incoming Work Group = mtagroup
Incoming Work Permissions = 0660
Quarantine User = Debian-exim
Quarantine Group = mtagroup
Quarantine Permissions = 0644
Max Unscanned Messages Per Scan = 50
Max Unsafe Messages Per Scan = 50
Max Normal Queue Size = 2000
Deliver Unparsable TNEF = yes
TNEF Expander = /usr/bin/tnef --maxsize=100000000
Find UU-Encoded Files = yes

Virus Scanners = clamd
Virus Names Which Are Spam = Sane*UNOFFICIAL HTML/* *Phish* MBL*UNOFFICIAL *SecuriteInfo*UNOFFICIAL INetMsg.SpamDomain*UNOFFICIAL NPGX.DomainAddr*UNOFFICIAL NPGX.EmailAddr.*UNOFFICIAL winnow*UNOFFICIAL ScamNailer*UNOFFICIAL Bofhland*UNOFFICIAL Porcupine*UNOFFICIAL *Zip.Suspect*
Allow Password-Protected Archives = yes
Clamd Socket = /var/run/clamav/clamd.ctl
Clamd Lock File = /var/run/clamav/clamd.pid
Clamd Use Threads = no
Monitors for ClamAV Updates = /var/lib/clamav/*.cld /var/lib/clamav/*.cvd

Use Stricter Phishing Net = no
Quarantine Infections = no
Quarantine Whole Message = yes
Quarantine Whole Messages As Queue Files = no
Include Scores In SpamAssassin Report = yes
SpamScore Number Instead Of Stars = yes
Detailed Spam Report = yes

Hostname = myhost.domaine.tld

Sign Clean Messages = no
Notify Senders = no
Notify Senders Of Blocked Filenames Or Filetypes = no
Notify Senders Of Other Blocked Content = no

Scanned Subject Text = {Scanné}
Virus Subject Text = {Virus ?}
Filename Subject Text = {Fichier ?}
Content Subject Text = {Contenu dangereux ?}
Size Subject Text = {Taille}
Disarmed Modify Subject = no
Disarmed Subject Text = {Script inactivé}
Phishing Subject Text = {Fraude ?}
Spam Subject Text = {Spam ?}
High Scoring Spam Subject Text = {Spam ?}
Warning Is Attachment = no

Send Notices = no
Spam List = spamhaus-ZEN spamcop.net barracuda
Is Definitely Not Spam = &SQLWhitelist
Is Definitely Spam = &SQLBlacklist
Max Spam Check Size = 2048k

# For testing
#Use SpamAssassin = yes
#Required SpamAssassin Score = 5
#High SpamAssassin Score = 15

Use SpamAssassin = &SQLNoScan
Required SpamAssassin Score = &SQLSpamScores
High SpamAssassin Score = &SQLHighSpamScores

Rebuild Bayes Every = 604800
Wait During Bayes Rebuild = yes

Spam Actions = store
High Scoring Spam Actions = delete
Bounce Spam As Attachment = yes

Log Speed = yes
Log Spam = yes

SpamAssassin User State Dir = /var/lib/MailScanner
SpamAssassin Local State Dir = /var/lib/spamassassin
Always Looked Up Last = &MailWatchLogging

# To be loaded after %org-name%
Spam-Virus Header = X-%org-name%-MailScanner-SpamVirus-Report:
Mail Header = X-%org-name%-MailScanner:
Spam Header = X-%org-name%-MailScanner-SpamCheck:
Spam Score Header = X-%org-name%-MailScanner-SpamScore:
Information Header = X-%org-name%-MailScanner-Information:
Envelope From Header = X-%org-name%-MailScanner-From:
Envelope To Header = X-%org-name%-MailScanner-To:
ID Header = X-%org-name%-MailScanner-ID:
IP Protocol Version Header = # X-%org-name%-MailScanner-IP-Protocol:
Hostname = The %org-name% ($HOSTNAME) MailScanner
Attachment Warning Filename = %org-name%-Attachment-Warning.txt
Watermark Secret = %org-name%-Secret
Watermark Header = X-%org-name%-MailScanner-Watermark:
MCP Header = X-%org-name%-MailScanner-MCPCheck:

# End Of File

In /etc/MailScanner/spamassassin.conf

# =============== MailScanner: spam.assassin.prefs.conf ===============

# SpamAssassin preferences for MailScanner users should be placed in
# this file to avoid being overwritten by a SpamAssassin upgrade.
# For a complete listing of configurable parameters, please see:
#
#   http://www.spamassassin.org/doc/Mail_SpamAssassin_Conf.html

# =============== SpamAssassin Preferences ===============

# This file is linked to mailscanner.cf. The mailscanner.cf link is put
# into the site_rules directory by the MailScanner installation scripts. You
# can find the directory where the link is, and where all your site-specific
# SpamAssassin files should be, by running this perl script:
#
# perl -MMail::SpamAssassin -e 'print Mail::SpamAssassin->new->first_existing_path(@Mail::SpamAssassin::site_rules_path)'
#
# If you don't have SpamAssassin installed, then I advise you install
# it. Without it, you won't catch much spam. There is an easy-to-install
# ClamAV and SpamAssassin installation package included on the MailScanner
# downloads page on the web.
#
# This file is no longer read specially by MailScanner when it starts up
# SpamAssassin, it relies on the link being in place to force SpamAssassin
# to read the file automatically on its own during its startup code. So
# you must have the link in place, or else this file is not read.
#
# To check your configuration, run the command
# spamassassin -D --lint

# ================== Settings For SpamAssassin ===========================

# dns_available { yes | test[: name1 name2...] | no } (default: test)
# By default, SpamAssassin will query some default hosts on the internet
# to attempt to check if DNS is working on not. The problem is that it can
# introduce some delay if your network connection is down, and in some
# cases it can wrongly guess that DNS is unavailable because the test
# connections failed. SpamAssassin includes a default set of 13 servers,
# among which 3 are picked randomly.

dns_available yes

# =============== White list and Black list addresses ===============

# While you can white list here but see below for a better place.

# White list addresses should be added in

#   /etc/MailScanner/rules/spam.whitelist.rules

# Black list addresses should be added in

#   /etc/MailScanner/rules/spam.blacklist.rules

# FSL Notes: we need to set the default rule for:
# Is Definitely Spam = no
# to:
#   %rules-dir/spam.blacklist.rules
# and create a default rules-dir/spam.blacklist.rules file

# =============== OK Locales ===============

# ok_locales        en

# =============== Bayesian Filtering ===============

# By default, the Bayesian engine is used. This is a real CPU hog
# and uses a lot of system resources to work.
# On a small overloaded system, you might need to disable it.

# use_bayes 0

# If your root filesystem is filling up because SpamAssassin is putting
# large databases in /.spamassassin or /root/.spamassassin, you can
# move them using the following lines to point to their new locations.
# The last part of the path is not a directory name, but actually the
# start of the filenames. So with the settings below, the Bayes files
# will be created as /var/spool/spamassassin/bayes_msgcount, etc.

# FSL Note: we need to coordinate the Bayes File Placement
# With MailWatch

# bayes_path should NOT be directory!
# The Rules_du_jour script will choke if it is a directory.
# It needs to be a full pathname, PLUS a partial filename.
# In this example, the trailing "bayes" will be the "bayes*" +
# files in the directory "/etc/MailScanner/bayes/"
# Thanks to Matt Kettler for pointing this out.
#bayes_path /etc/MailScanner/bayes/bayes

# Setup for Bayes using MySQL
bayes_store_module              Mail::SpamAssassin::BayesStore::MySQL
bayes_sql_dsn                   DBI:mysql:mailscanner:localhost
bayes_sql_username              mailwatch
bayes_sql_password              xxxxx

auto_whitelist_factory          Mail::SpamAssassin::SQLBasedAddrList
user_awl_dsn                    DBI:mysql:mailscanner:localhost
user_awl_sql_username           mailwatch
user_awl_sql_password           xxxxx

bayes_sql_override_username     mailscanner

# This is actually used as a mask, not a raw chmod setting.
# Thanks for Matt Kettler for spotting this one.
# Commented out: this if for MailWatch and Exim/Postfix users only.
# bayes_file_mode 0770

# Bump up SpamAssassin scores on the high and low end
# score BAYES_00 -15.0
# score BAYES_05 -5.0
# score BAYES_95 5.0
# score BAYES_99 15.0

# To disable bayes autolearn
# bayes_auto_learn 0

# For feeding spam and and ham for saved messages, mailboxes
# or directories:

# This MUST be customized for each site :(

# Change X-YOURDOMAIN-COM to match your %org-name% as
# set in MailScanner.conf

bayes_ignore_header xxxxx-MailScanner
bayes_ignore_header xxxxx-MailScanner-SpamCheck
bayes_ignore_header xxxxx-MailScanner-SpamScore
bayes_ignore_header xxxxx-MailScanner-Information

# When using the scheduled Bayes expiry feature, in MailScanner.conf
# you probably want to turn off auto-expiry in SpamAssassin as it will
# rarely complete before it is killed for taking too long.
# You will just end up with # MailScanner: big bayes_toks.new files
# wasting space.

# FSL Note: we run Bayes expire from a cron job

#bayes_auto_expire 0

bayes_expiry_max_db_size 800000

# If you are using a UNIX machine with all database files on local disks,
# and no sharing of those databases across NFS filesystems, you can use a
# more efficient, but non-NFS-safe, locking mechanism.   Do this by adding
# the line "lock_method flock" to the /etc/mail/spamassassin/local.cf
# file. This is strongly recommended if you're not using NFS, as it is
# much faster than the NFS-safe locker.

lock_method flock

# The --auto-whitelist and -a options for "spamd" and "spamassassin" to
# turn on the auto-whitelist have been removed and replaced by the
# "use_auto_whitelist" configuration option which is also now turned on by
# default.

# only use this setting if you have the SA plugin enabled. otherwise,
# it will throw an error in SA. (JB 18 FEB 2015)
#
# use_auto_whitelist 0

# =============== RBSL related items ===============

# By default, SpamAssassin will run RBL checks.  If your ISP already
# does this, stop RBL checks in SpamAssassin by un-commenting  the
# following line
# skip_rbl_checks   1

# paths to utilities
#ifplugin Mail::SpamAssassin::Plugin::Pyzor
#pyzor_path /usr/bin/pyzor
#endif

ifplugin Mail::SpamAssassin::Plugin::DCC
dcc_path /usr/local/bin/dccproc
endif

# Uncomment the lines below to stop using the specific service
# To stop Razor2 checks, uncomment the following line
# use_razor2        0
# To stop DCC checks, uncomment the following line
#  use_dcc      0
# To stop Pyzor checks, uncomment the following line
#  use_pyzor    0

# The timeouts for blacklists and Razor are rather generous in the
# default state that SpamAssassin is shipped. Reducing these
# stops a lot of timeouts from removing SpamAssassin scores
# altogether.

rbl_timeout 5
#razor_timeout 5
pyzor_timeout 5

# If you specify these scores, SpamAssassin will do RBL checks as well
# as MailScanner, which just wastes CPU power and network bandwidth.
# Either do them here by un-commenting the rules below
# (if you have paid for them) or else uncomment the "skip_rbl_checks" #
# line above and let MailScanner do the checks instead.

# These next 3 will cost you money, see mailscanner.conf.
#score RCVD_IN_RBL               10
#score RCVD_IN_RSS               1
#score RCVD_IN_DUL               1

# =============== SpamAssassin Header Processing ===============

# SpamAssassin will attempt to discover the address used in the 'MAIL FROM:'
# phase of the SMTP transaction that delivered this message, if this data
# has been made available by the SMTP server. This is used in the EnvelopeFrom
# pseudo-header, and for various rules such as SPF checking.

# This should be explicitly set for MailScanner
envelope_sender_header X-xxxxx-MailScanner-From

# =============== Adding SpamAssassin Rules ===============

# Add your own customized scores for some tests below.  The default
# scores are read from the installed "spamassassin.cf" file, but you
# can override or disable the here.
# To see the list of tests and their default scores, go to
# http://spamassassin.taint.org/tests.html

# These next 3 lines will add a local rule to SpamAssassin to help
# protect you from the friendlygreetings.com nasty-gram which will
# send lots of spam from your PC if you let it. Not really a virus,
# but you don't want your users all clicking on it.

# This is old now.
# header   FRIEND_GREETINGS Subject =~ /you have an E-Card from/i
# describe FRIEND_GREETINGS Nasty E-card from FriendGreetings.com
# score    FRIEND_GREETINGS 100.0
# header   FRIEND_GREETINGS2    Subject =~ /you have a greeting card from/i
# describe FRIEND_GREETINGS2    Nasty E-card from FriendGreetings.com
# score    FRIEND_GREETINGS2    100.0

# =============== Disable SpamAssassin Rules ===============

# To disable a SpamAssassin rule simply add an uncommented
# line similar to:
# score SUBJ_ILLEGAL_CHARS 0.0

# =============== Change SpamAssassin Rules scores ===============

# To Change a SpamAssassin rule Score simply add an uncommented
# line similar to:
# score SUBJ_ILLEGAL_CHARS 2.1

# =============== Special Case Rules ===============

# added Mon Jan 12 16:14:04 EST 2004 to stop the forgers of
# Not needed ins SA 3.0
# HABEAUS headers
# score HABEAS_SWE -2.0
#### Special Case Rules #####

# =============== Historic Rules ===============

# Osirusoft RBSL is dead
# score RCVD_IN_OSIRUSOFT_COM 0.0
# score X_OSIRU_OPEN_RELAY 0.0
# score X_OSIRU_DUL 0.0
# score X_OSIRU_SPAM_SRC 0.0
# score X_OSIRU_SPAMWARE_SITE 0.0
# score X_OSIRU_DUL_FH 0.0

# score RCVD_IN_RFCI 0.0
# score DNS_FROM_RFCI_DSN 0.0

# =============== Your Edits Go Here  ===============

# Increased threshold for blacklisted spam URL's
score RCVD_IN_PBL           1.50
score RAZOR2_CF_RANGE_E4_51_100         4.50
score BAYES_50                          2.50
score RAZOR2_CHECK                      2.50
score BAYES_99                         15.00
score BAYES_95              4.50
score BAYES_80                          5.10
score BAYES_60                          2.00
score BAYES_00                  -1.50
score RCVD_IN_BL_SPAMCOP_NET        4.0
describe RCVD_IN_BRBL_LASTEXT Last external relay in Barracuda BRBL
score RCVD_IN_BRBL_LASTEXT              4.0

# SPF
# Note that the benefit for a valid SPF record is deliberately minimal; it's
# likely that more spammers would quickly move to setting valid SPF records
# otherwise.  The penalties for an *incorrect* record, however, are large.  ;)
ifplugin Mail::SpamAssassin::Plugin::SPF
score SPF_PASS -0.001
score SPF_HELO_PASS -0.001
score SPF_FAIL 0 1.333 0 1.142
score SPF_HELO_FAIL 0
score SPF_HELO_NEUTRAL 0
score SPF_HELO_SOFTFAIL 0 2.078 0 2.432
score SPF_NEUTRAL 0 1.379 0 1.069
score SPF_SOFTFAIL 0 1.470 0 1.384
endif # Mail::SpamAssassin::Plugin::SPF

# Steve@fsl.com edit Sun Jan 16 12:17:16 CST 2005
# disable the ALL_TRUSTED ruleset that comes with SA 3.x.
# It's generating too many false positives

# If you have problems where ALL_TRUSTED is matching external email,
# including spam, then SpamAssassin has become confused about which hosts are
# a part of your trusted_networks. The most common cause of this is having a
# gateway mail exchanger that has a reserved IP and gets NATed by your
# firewall. Fortunately the problem is easy to fix by manually declaring a
# trusted_networks setting. See man Mail::SpamAssassin::Conf for details.
# Once manually set, SA won't try to guess.
#
# If that does not fix your problem, the other possibility is you have an MTA
# that generates malformed Received: headers. If you've modified your
# Received: header format, please put it back to the standard format.
# SpamAssassin is quite tolerant of deviations from the RFC 2822 format, but
# there are some combinations it can't handle. If the malformed headers are
# being made by some form of network appliance that you can't fix, report a
# bug to your vendor, and as a short-term fix set the score of ALL_TRUSTED to
# 0. However, realize that other problems may occur as a result of the
# mis-parsed headers and the root cause does need fixing.
#
#score ALL_TRUSTED 0

#
# The header name in the next line must have your %org-name% added into it,
# so that it matches what is set in "Spam-Virus Header" in your
# MailScanner.conf file.
#
# IMPORTANT TO HAVE UNOFFICIAL RULES IN CLAMAV WORKING
header MS_FOUND_SPAMVIRUS exists:X-xxxxx-MailScanner-SpamVirus-Report
describe MS_FOUND_SPAMVIRUS ClamAV found a Spam Virus via MailScanner
score  MS_FOUND_SPAMVIRUS 6.0

And in /etc/group

Debian-exim:x:109:clamav
mtagroup:x:1001:clamav,Debian-exim,mail,mailwatch

branko77 commented 7 years ago

Try binding clam to the 127.0.0.1 and see if that issue goes away.

How should I do that?